A newly discovered campaign has compromised tens of thousands of outdated or end-of-life (EoL) ASUS routers worldwide, predominantly in Taiwan, the U.S., and Russia, to rope them into a massive network.
The router hijacking activity has been codenamed Operation WrtHug by SecurityScorecard's STRIKE team. Southeast Asia and European countries are some of the other regions where infections have

Vulnerability / Threat Intelligence

A newly discovered campaign has compromised tens of thousands of outdated or end-of-life (EoL) ASUS routers worldwide, predominantly in Taiwan, the U.S., and Russia, to rope them into a massive network.

The router hijacking activity has been codenamed **Operation WrtHug** by SecurityScorecard's STRIKE team. Southeast Asia and European countries are some of the other regions where infections have been recorded.

The attacks likely involve the exploitation of six known security flaws in end-of-life ASUS WRT routers to take control of susceptible devices. All the infected routers have been found to share a unique self-signed TLS certificate with an expiration date set for 100 years from April 2022.

SecurityScorecard said 99% of the services presenting the certificate are ASUS AiCloud, a proprietary service designed to enable access to local storage via the internet.

"It leverages the proprietary AiCloud service with n-day vulnerabilities in order to gain high privileges on End-Of-Life ASUS WRT routers," the company said in a report shared with The Hacker News, adding the campaign, while not exactly an Operational Relay Box (ORB), bears similarities with other China-linked ORBs and botnet networks.

The attacks likely exploit vulnerabilities tracked as CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, CVE-2023-41348, CVE-2024-12912, and CVE-2025-2492 for proliferation. Interestingly, the exploitation of CVE-2023-39780 has also been linked to another Chinese-origin botnet dubbed AyySSHush (aka ViciousTrap). Two other ORBs that have targeted routers in recent months are LapDogs and PolarEdge.

Out of all the infected devices, seven IP addresses have been flagged for exhibiting signs of compromise associated with both WrtHug and AyySSHush, potentially raising the possibility that the two clusters could be related. That being said, there is no evidence to back this hypothesis beyond the shared vulnerability.

The list of router models targeted in the attacks is below -

*   ASUS Wireless Router 4G-AC55U
*   ASUS Wireless Router 4G-AC860U
*   ASUS Wireless Router DSL-AC68U
*   ASUS Wireless Router GT-AC5300
*   ASUS Wireless Router GT-AX11000
*   ASUS Wireless Router RT-AC1200HP
*   ASUS Wireless Router RT-AC1300GPLUS
*   ASUS Wireless Router RT-AC1300UHP

It's currently not clear who is behind the operation, but the extensive targeting of Taiwan and overlaps with previous tactics observed in ORB campaigns from Chinese hacking groups suggest it could be the work of an unknown China-affiliated actor.

"This research highlights the growing trend of malicious threat actors targeting routers and other network devices in mass infection operations," SecurityScorecard said. "These are commonly (but not exclusively) linked to China Nexus actors, who execute their campaigns in a careful and calculated manner to expand and deepen their global reach."

"By chaining command injections and authentication bypasses, threat actors have managed to deploy persistent backdoors via SSH, often abusing legitimate router features to ensure their presence survives reboots or firmware updates."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

WrtHug Exploits Six ASUS WRT Flaws to Hijack Tens of Thousands of EoL Routers Worldwide

Orem, United States, November 18th, 2025, CyberNewsWire SecurityMetrics, a leading innovator in compliance and cybersecurity, today announced that…

Orem, United States, November 18th, 2025, CyberNewsWire

SecurityMetrics, a leading innovator in compliance and cybersecurity, today announced that its Shopping Cart Inspect (SCI) solutions has been selected as winner of the **“Data Leak Detection Solution of the Year”** award in the 9th annual CyberSecurity Breakthrough Awards program. Conducted by CyberSecurity Breakthrough, an independent market intelligence organization, the annual program recognizes the most innovative companies, products, and technologies driving progress in the global information security industry.

SCI reduces the chances of an e-commerce skimming attack through the inspection of a website’s shopping cart by a SecurityMetrics Forensic Investigator. The process involves the use of **patented WIM Technology** to determine if a website has fallen victim to JavaScript payment skimming. WIM technology can detect web skimming at the moment it is triggered and will alert a merchant if a webpage has been compromised, through tools like Shopping Cart Inspect and Shopping Cart Monitor.

Using Inspect, SecurityMetrics Forensic Analysts review the rendered webpage code in a shopping cart URL to collect evidence of a skimming attack. Inspect is non-intrusive and website reviews are conducted without business interruption or merchant installation/intervention.

Following the inspection, SecurityMetrics Forensic Analysts create a **risk report** illustrating a risk rating and include a list of vulnerabilities, ranking them from medium to high-risk based on the CVSS scale. The reports include a description of malicious JavaScript, identification of suspicious URLs on the website, a list of third-party domains participating in the e-commerce experience, and remediation recommendations. 24/7 technical support is also available to help with remediation.

> “We understand how important it is to keep a business running as usual, so we designed SCI to discover website skimming attacks while still allowing business to continue uninterrupted. Our solution has been purpose-built to strengthen merchants, and our Forensic Analysts are at the forefront of emerging cyber threats,” said Brad Caldwell, CEO of SecurityMetrics. “Our e-commerce investigations conducted by our expert Forensics Investigators will continue to identify trends that we will meet head-on with solutions that prioritize security technology for our valued global customer base.”

The 2025 awards program received thousands of nominations from more than 20 countries around the world, representing everything from disruptive startups to established global enterprises. This year’s winners embody the cutting edge of cybersecurity technology, delivering next-generation protection and resilience in today’s increasingly complex threat landscape.

> “SecurityMetrics knows that keeping your website up and running is vital to your business,” said Steve Johansson, managing director, CyberSecurity Breakthrough. “SCI from SecurityMetrics helps businesses tackle vulnerabilities confidently and gives them the tools and support they need to identify malicious scripts, protect their business, and ensure customer trust. That makes SCI our choice for 2025’s ‘Data Leak Detection Solution of the Year!’”

**About SecurityMetrics**

SecurityMetrics secures peace of mind for organizations that handle sensitive data. They have tested over 100 million systems for data security and compliance. Industry standards don’t keep up with the threat landscape, which is why SecurityMetrics hold their tools, training, and support to a higher, more thorough standard of performance and service. Never have a false sense of security.

**About CyberSecurity Breakthrough**

Part of Tech Breakthrough, a leading market intelligence and recognition platform for global technology innovation and leadership, the CyberSecurity Breakthrough Awards program is devoted to honoring excellence in information security and cybersecurity technology companies, products and people. The CyberSecurity Breakthrough Awards provide a platform for public recognition around the achievements of breakthrough information security companies and products in categories including Cloud Security, Threat Detection, Risk Management, Fraud Prevention, Mobile Security, Web and Email Security, UTM, Firewall and more. For more information, users can visit CyberSecurityBreakthrough.com.

Tech Breakthrough LLC does not endorse any vendor, product or service depicted in our recognition programs, and does not advise technology users to select only those vendors with award designations. Tech Breakthrough LLC recognition consists of the opinions of the Tech Breakthrough LLC organization and should not be construed as statements of fact. Tech Breakthrough LLC disclaims all warranties, expressed or implied, with respect to this recognition program, including any warranties of merchantability or fitness for a particular purpose.

**Contact**

Corporate Communications Manager

Landry French

SecurityMetrics

landry.french@securitymetrics.com

+1 801-995-6431

SecurityMetrics Wins “Data Leak Detection Solution of the Year” in 2025 CyberSecurity Breakthrough Awards Program

Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through user-controllable URL parameters. These vulnerabilities affect all applications using Causeway's ViewModel functionality and can be exploited by authenticated attackers to execute arbitrary code with application privileges. 

This issue affects all current versions.

Users are recommended to upgrade to version 3.5.0, which fixes the issue.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-wq4c-57mh-5f7g: Apache Causeway vulnerable to deserialization in Java

Mindgard reveals 4 critical security flaws in the popular Cline Bot AI coding agent. Learn how prompt injection can hijack the tool for API key theft and remote code execution.

AI coding assistants are fast becoming standard options in software development. However, a recent security audit of Cline Bot, one of the most popular assistants, revealed four serious security issues, including three critical flaws, that could allow a clever attacker to steal private information or run malicious software on a developer’s computer.

This ground-breaking research was conducted by AI security specialist Mindgard and shared with Hackread.com. The audit began on August 22, 2025, and Mindgard found these problems within just two days (by August 24), highlighting major security gaps in tools that are common nowadays.

****Turning a Helper into a Hazard****

The Cline Bot assistant is very popular, with over 3.8 million installs and more than 1.1 million daily active users. AI coding assistants, as we know it, are meant to be helpful, like a “golden retriever,” as the researchers put it, “endlessly eager, wildly helpful, and perhaps a little too trusting.”

But that’s not entirely the case here, as Mindgard demonstrated how a tricky attacker could hide a prompt injection inside source code files. When a developer simply opens a malicious project and asks Cline Bot to analyse it, the AI can be tricked into carrying out dangerous actions. These four issues include:

1.  Theft of Secret Keys: The AI could be tricked into sending sensitive API keys and other private data to an attacker’s location.
2.  Unauthorised Code Execution: An attacker could force the AI to download and run malicious software on the developer’s computer without needing approval.
3.  Bypassing Safety Checks: Attackers could override the AI’s internal safety rules, making it execute commands it should have flagged as dangerous.
4.  Leakage of Model Information: An error message could reveal secret details about the underlying AI model being used.

****The Secret Instructions Leak****

A key part of Mindgard’s success was getting hold of the Cline Bot’s system prompt– a set of secret instructions that tells the AI how to behave and what rules to follow. While some security experts believe this information isn’t a major risk, Mindgard strongly disagrees.

“Disclosure of the system prompt itself does not present the real risk; the security risk lies with the underlying elements,” researchers stated in their technical blog post, as Mindgard’s experiment showed that knowing the exact wording of the prompt helps attackers find loopholes much more precisely.

Further probing revealed that by manipulating how the AI processes project files, attackers could force the tool to ignore its own safety checks. For instance, in one test against Cline’s newer Sonic model (released on August 20, 2025), the researchers showed they could get the AI to execute an unsafe command (like downloading and running malicious code) without ever asking the user for approval.

It is worth noting that all four vulnerabilities were promptly shared with the vendor, who has since worked to fix the issues, but did not respond to the researchers accordingly.

Cline Bot AI Agent Vulnerable to Data Theft and Code Execution

Schools in the US are installing vape-detection tech in bathrooms to thwart student nicotine and cannabis use. A new investigation reveals the impact of using spying to solve a problem.

Vaping Is ‘Everywhere’ in Schools—Sparking a Bathroom Surveillance Boom

Singapore, Singapore, 19th November 2025, CyberNewsWire

**Singapore, Singapore, November 19th, 2025, CyberNewsWire**

The collaboration advances enterprise grade application security into decentralized ecosystems, uniting Checkmarx’s AppSec expertise with Web3 specialization by CredShields.

CredShields, a leading Web3 security firm, has partnered with Checkmarx, the global leader in agentic AI-powered application security testing, to work with AI-driven smart contract audits, vulnerability research, and blockchain security tooling from CredShields to work alongside the Checkmarx application security platform.

As the application security market accelerates toward an expected US $55 billion by 2029, decentralized architectures introduce new attack surfaces that traditional AppSec programs are not designed to address. Nearly half of the largest DeFi breaches trace back to smart contract flaws, and in 2025 to date, losses from cryptocurrency service hacks already surpass US $2.1 billion and are projected to climb further. Research further indicates that up to 89% of smart contracts contain vulnerabilities, highlighting the need for Web3-native security standards alongside legacy security frameworks.

Through this agreement, Checkmarx is adding CredShields as a Web3 security partner to provide customers with dedicated support for decentralized environments. The collaboration combines Checkmarx’s enterprise AppSec leadership with deep expertise in smart contract auditing, vulnerability assessment, and blockchain security research from CredShields, enabling organizations to extend their existing DevSecOps programs into Web3 with minimal friction.

> “This partnership represents a natural evolution in the AppSec landscape,” said **Shashank**, Co-founder of CredShields. “Together with Checkmarx, we’re delivering a seamless layer of security that protects enterprise systems, decentralized applications, and smart contracts with the same rigor and intelligence.”

**The partnership will focus on:**

*   Comprehensive security coverage for decentralized applications, smart contracts, and wallets
*   AI-assisted vulnerability detection and manual audits powered by CredShields’ proprietary systems
*   Joint contributions to global security frameworks, including OWASP Smart Contract Security Standards and Smart Contract Top 10
*   Enterprise enablement to integrate Web3 security into existing DevSecOps pipelines

> “As enterprises extend their digital footprint into Web3, new attack surfaces emerge,” said **Scott Sieper**, Director of Product Management at Checkmarx. “Partnering with CredShields enables us to bring our deep AppSec expertise to blockchain environments and help organizations innovate with confidence while maintaining the same rigorous security standards they expect from Checkmarx.”

Checkmarx and CredShields aim to redefine enterprise application security for the decentralized era, ensuring that innovation and security evolve in parallel as organizations adopt blockchain at scale.

For more information about securing code at the speed of AI and the Checkmarx One platform, users can visit the website.

**About CredShields**

CredShields is a Web3 security firm specializing in manual smart contract audits, AI-powered vulnerability detection, and security automation across blockchain ecosystems. A contributor to the OWASP Smart Contract Top 10, CredShields protects leading protocols and enterprises through full-spectrum decentralized security solutions.

Users can watch the demo: https://lnk.credshields.com/checkmarx-demo

**Contact**

**CredShields**  
**marketing@credshields.com**

CredShields Joins Forces with Checkmarx to Bring Smart Contract Security to Enterprise AppSec Programs

Fortinet has warned of a new security flaw in FortiWeb that it said has been exploited in the wild.
The medium-severity vulnerability, tracked as CVE-2025-58034, carries a CVSS score of 6.7 out of a maximum of 10.0.
"An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiWeb may allow an authenticated attacker to execute

Vulnerability / Network Security

Fortinet has warned of a new security flaw in FortiWeb that it said has been exploited in the wild.

The medium-severity vulnerability, tracked as **CVE-2025-58034**, carries a CVSS score of 6.7 out of a maximum of 10.0.

"An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability \[CWE-78\] in FortiWeb may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands," the company said in a Tuesday advisory.

In other words, successful attacks require an attacker to first authenticate themselves through some other means and chain it with CVE-2025-58034 to execute arbitrary operating system commands.

It has been addressed in the following versions -

*   FortiWeb 8.0.0 through 8.0.1 (Upgrade to 8.0.2 or above)
*   FortiWeb 7.6.0 through 7.6.5 (Upgrade to 7.6.6 or above)
*   FortiWeb 7.4.0 through 7.4.10 (Upgrade to 7.4.11 or above)
*   FortiWeb 7.2.0 through 7.2.11 (Upgrade to 7.2.12 or above)
*   FortiWeb 7.0.0 through 7.0.11 (Upgrade to 7.0.12 or above)

The company credited Trend Micro researcher Jason McFadyen for reporting the flaw under its responsible disclosure policy.

Interestingly, the development comes days after Fortinet confirmed that it silently patched another critical FortiWeb vulnerability (CVE-2025-64446, CVSS score: 9.1) in version 8.0.2.

"We activated our PSIRT response and remediation efforts as soon as we learned of this matter, and those efforts remain ongoing," a Fortinet spokesperson told The Hacker News. "Fortinet diligently balances our commitment to the security of our customers and our culture of responsible transparency."

It's currently not clear why Fortinet opted to patch the flaws without releasing an advisory. But the move has left defenders at a disadvantage, effectively preventing them from mounting an adequate response.

"When popular technology vendors fail to communicate new security issues, they are issuing an invitation to attackers while choosing to keep that same information from defenders," VulnCheck noted last week.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Fortinet Warns of New FortiWeb CVE-2025-58034 Vulnerability Exploited in the Wild

A mongoc_bulk_operation_t may read invalid memory if large options are passed.

GHSA-mwcc-7vpp-xmv9: MongoDB driver extension affected by mongoc_bulk_operation_t's read of invalid memory

Unsafe Deserialization vulnerability in Modular Max Serve before 25.6, specifically when the "--experimental-enable-kvcache-agent" feature is used allowing attackers to execute arbitrary code.

Tag

#vulnerability